@NeilD: AFAIK, only the elements (and policies) are defined in AD, the actual values are stored in NTFS on the file server. So the cost of enforcement is spread across the file servers, using the file attributes from NTFS and the user claims from the PAC in their Kerberos ticket.

I've got a concern with the "no docs in the box" implementation. When I installed VS11, I had no clue that it was going to immediately download hundreds of megabytes of "default" documentation, which exceeded my Internet Service Provider's limit for the day and left me without the internet for 24 hours.

1. If there's a minimum set of documents, they should be "in the box". This at least lets me start using the help immediately.

2. If you are going to download something, the user needs to know in advance, the user should be told how big the download is, and the user needs to be able to approve or disapprove.